JP4814483B2 - Image forming apparatus, image forming method, program, and storage medium - Google Patents

Description

The present invention relates to an image forming apparatus, an image forming method, a program, and a storage medium based on a security policy .

  In the field of dealing with documents such as offices, there is always a desire to control the security of the documents. For example, when a secret document is copied, it is necessary to obtain the permission of the manager in charge. Particularly, it is important to control a policy for a document which is a container for information, particularly a policy regarding confidentiality. Generally, ensuring the security of an information system is broadly divided into ensuring confidentiality, integrity, and availability, but integrity and availability can be secured to a level that is virtually free of problems if the system administrator appropriately manages and manages it. There are many. On the other hand, in order to ensure confidentiality, it is presumed that the policy must be shared and thoroughly made by members belonging to the user organization.

  In reality, many companies are trying to control security by setting document management rules. However, for ensuring security in an actual office system, it is necessary to individually set security settings for various devices constituting the office system, not for documents.

  Various conventional techniques related to a method of performing access control based on a security policy are disclosed (Patent Document 1 to Patent Document 14).

  For example, in access control, it is described that conditional access permission is evaluated (Patent Document 1).

  For example, it describes security management and auditing simplification of a corporate information system according to an information security policy (Patent Document 2).

  However, in particular, the above-mentioned Patent Document 1 does not mention processing of data after access, particularly reading, in the access control system for data files.

  In the above-mentioned Patent Document 2, a security policy, a system, and a control unit are configured, and a control unit is extracted from a DB (database) in which each combination is registered, and the system is controlled to match the policy. However, the means for auditing the state is only controlled by the control means registered for the system, and the degree of freedom of implementation is low.

  Further, in the method of inputting the operator ID of Patent Document 7, taking out the ID from the document, and controlling copying, control based on a fixed rule of rejecting copying or permitting copying and recording a log. It can only be done.

  In the method of extracting and checking a mark indicating a confidential document from the image of Patent Document 8, it is determined how to perform the operation based on the obtained information, so that the flexibility of the rule is lacking.

  In the method of controlling the output destination based on the output restriction data included in the print information of Patent Document 9, a rule must be included in the print information.

  In the method of reading the image of Patent Document 10 and storing it together with the password and permitting it when the passwords match at the time of output, the criterion to judge is only the password, and the operation controlled by it is permitted or not permitted Only.

  In the method of controlling the permission or disapproval of the operation of all MFPs on the network by one MFP among the plurality of MFPs on the network of Patent Document 11, the controlled operation is permitted or not permitted. Only permission.

In the method of determining permission of use and permission of operation for each of the plurality of devices in Patent Document 12, only permission and non-permission can be controlled, and only control based on user information can be performed. As described above, the problems with the prior art are that the rules are limited and inflexible, and that the rules are only predetermined. That is, in the conventional input / output device, only “permission” and “prohibition” of operations for “user” and “document” IDs are determined in advance.
JP 2001-184264 A JP 2001-273388 A JP 2001-337864 A JP 09-293036 A Japanese Patent Application Laid-Open No. 07-141296 Japanese Patent No. 0273596 Japanese Patent No. 3203103 JP 7-58950 A JP 7-152520 A JP-A-10-191072 JP 2000-15898 A JP 2000-357064 A JP 2001-125759 A JP 2001-325249 A.

  In such a security implementation method, when security for document printing is executed, first, a security enforcer needs knowledge about security of various devices. Second, security must be executed for all devices one by one. Third, it is necessary to easily grasp the security state of the entire system, but it is difficult to grasp. Fourth, even if security is implemented for each device, it cannot be realized that the security of the document is actually protected. As described above, there are problems as described above in ensuring security in an actual office system.

  The present invention aims to solve the above-mentioned problems.

In particular object of the present invention is based rather on the security policy document, the image forming apparatus is to provide a storage medium storing an image forming method, a program, and that program.

In order to solve the above problems, the present invention provides a document attribute in which identification information defined for a document is associated with a document attribute including a document category and a security level in advance. Document attribute management means for managing management information ;
Identification information recognition means for recognizing data acquired by a predetermined reading operation on a document as the identification information;
Document attribute acquisition means for acquiring the document attribute corresponding to the identification information recognized by the identification information recognition means by referring to the document attribute management information ;
Based on a document security policy corresponding to the category and security level acquired by the document attribute acquisition unit, whether the predetermined operation is permitted or not is determined for each predetermined operation that is a predetermined operation of the image forming apparatus. In addition, in the case of permission, an operation requirement selection means for selecting an operation requirement in the case of permission and outputting the determination and selection result ;
Operation control means for controlling execution of the predetermined action based on the determination and selection result output by the action requirement selection means,
The above security policy is
The predetermined operation every authorization operation or non-permission is defined, if該許friendly is defined, the operation requirements for permitting operation is defined,
The operation control unit instructs the data processing unit that performs data processing of the document to prohibit data processing when the determination and selection result of the operation requirement selection unit is not permitted, and selects the operation requirement. If the determination result of the means is permission, the data processing unit is instructed to perform data processing so as to satisfy the requirements,
The operation requirements defined in the security policy are configured to be security requirements for the document .

  In such an image forming apparatus, operation requirements (operation conditions) can be selected based on the read identification information. That is, for a paper document, for example, printing, copying, faxing, and the like can be controlled so as to satisfy the operational requirements according to the organizational security policy.

According to a second aspect of the present invention, the predetermined operation can be configured to form an image with electronic data.

Further, the present invention is as described in claim 3, the predetermined operation may be configured to print the document on paper.

Moreover, as described in claim 4 , the present invention can be configured to further include user attribute acquisition means for acquiring a user attribute relating to a user who requests the predetermined operation .

Further, according to the present invention , the user attribute acquisition unit includes:
User identification information acquisition means for acquiring user identification information for identifying the user by input from the user;
User attribute management means for managing user attribute management information in which the user identification information and the user attribute are associated in advance;
User authentication means for authenticating the user based on the user identification information;
User attribute acquisition means for acquiring the user attribute corresponding to the user identification information acquired by the user identification information acquisition means by referring to the user attribute management information based on an authentication result by the user authentication means; It can comprise so that it may have.

Further, the present invention is as described in claim 6, said user attribute obtaining means, and the user identification information acquiring means for acquiring user identification information for identifying the user from the user, the user authenticates, User attribute requesting means for requesting the user attribute from an external server providing the user attribute can be provided.

Further, the present invention is as described in claim 7, said operating requirements can be configured to indicate to embed in the document against the execution of the predetermined operation, the electronic watermark.

Further, the present invention is as described in claim 8, said operating requirements, upon execution of the document against the predetermined operation can be configured to indicate that embedding a displayable labels .

Further, the present invention is as described in claim 9, as the display label includes authentication data of the user who requested at least the predetermined operation, the time stamp of the time of requesting the predetermined operation Can be configured.

Further, the present invention is as described in claim 10, said operational requirements, when the document against the execution of the predetermined operation, the authentication data of the user who requested at least the predetermined operation by the predetermined operation The document data of the document to be generated and the time stamp when the reading is instructed can be recorded in a log.

  As means for solving the above problems, the present invention provides an image forming method and program for causing a computer to perform processing in the image forming apparatus, and a computer-readable storage medium storing the program. You can also.

  The present invention relates to a system for ensuring the security of an information system, and in particular, can provide an image forming apparatus and an image forming method for reading a document and network distribution based on a security policy.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  Examples of the present invention are described in detail below.

  In this embodiment, in order to share a security policy for a document between different types of systems, the security policy is described using the following mechanism. Here, the described security policy is called a document security policy (DSP).

  FIG. 1 shows an example of a security policy. For example, the organization to which the user belongs is assumed to have a security policy as shown in FIG. 1 for each document security level, such as a confidential document, a confidential document, or a confidential document.

  In order to be able to describe such a policy as a DSP, the following method is used.

  First, the documents are classified according to the confidentiality level (confidentiality, confidentiality, confidentiality, etc.) and the category (HR document, technical document, etc.). This combination of sensitivity level and category is called a document security label. This security label is actually given as attribute information to each document.

  An example of the classification method as described above is shown in FIG. FIG. 2 shows an example of a document label term file. A document label term file 300 as shown in FIG. 2 is a file for managing a list of labels given as attribute information to individual documents, and is described in XML, for example.

  The DSP specifies the operations that are permitted on a document according to the document's confidentiality level and category, and the requirements (permissions of the administrator responsible) to be executed when the operation is permitted. Get, print a label, etc.). It is the document label term file 300 of FIG. 2 that describes such document confidentiality levels and categories.

  In FIG. 2, two types of categories are indicated by a description 311 and a description 321 indicated by <enumeration> to </ enumeration>.

  In the description 311, a description 312 indicating <enum_id> doc_category </ enum_id> indicates that the category identification information is “doc_category”. A description 313 indicating <enum_name> Document Category </ enum_name> indicates that the name of the category is “Document Category”. A description 314 indicating <description> document category type </ description> indicates an explanation “document category type” indicating what this category classifies.

  Items 315, 316, and 317 indicating <item> to </ item> indicate three categories of items. The description 315 indicates that the item name is “internal_doc” by the description indicating <name> internal_doc </ name>, and the description “internal” of the item by the description indicating <description> general internal document </ description>. "General document".

  The description 316 indicates that the item name is “human_resource_doc” by the description indicating <name> human_resource_doc </ name>, and the description “HR” of the item by the description indicating <description> HR related document </ description>. Related documents ".

  The description 317 indicates that the item name is “technical_doc” by a description indicating <name> technical_doc </ name>, and the description “Technical” of the item by a description indicating <description> technical document </ description>. Related documents ".

  Similarly, in the description 321, a description 322 indicating <enum_id> doc_security_level </ enum_id> indicates that the category identification information is “doc_security_level”. A description 323 indicating <enum_name> Document Security Level </ enum_name> indicates that the name of the category is “Document Security Level”. A description 324 indicating <description> type of document security level </ description> indicates an explanation “type of document security level” indicating what this category classifies.

  Items of three categories are indicated by description 325, description 326, and description 327 indicating <item> to </ item>. The description 325 indicates that the item name is “basic” by the description indicating <name> basic </ name>, and the description “confidential” of the item by the description indicating <description> confidential </ description>. Show.

  The description 326 indicates that the item name is “medium” by the description indicating <name> medium </ name>, and the description “secret” of the item is indicated by the description indicating <description> secret </ description>. Show.

  The description 327 indicates that the item name is “high” by the description indicating <name> high </ name>, and the description “top secret” of the item is indicated by the description indicating <description> confidential </ description>. Show.

  As described above, the document label term file 300 defines the types of document categories such as in-house general documents, personnel related documents, and technical related documents. Also, the types of document security levels such as confidential, confidential, and confidential are defined.

  3 to 13 are diagrams showing examples of policy term files. 3 to FIG. 13, one policy term file 400 is configured.

  The policy term file 400 as shown in FIGS. 3 to 13 describes the classification of system types and lists operations for each system type. For each operation, requirements that can be supported when the operation is executed are listed. The policy term file 400 is described in XML, for example.

  In FIG. 3, the method of listing and describing is shown by repeating the description from <enumeration> to </ enumeration> in the same manner as the description method in the document label file 300 shown in FIG. Since the detailed description from <enumeration> to </ enumeration> is the same as the description method in the document label file 300 shown in FIG. 2, only a brief description will be given here.

  For example, in FIG. 3, system types are listed by description 411. According to the description 411, “copier”, “printer”, “facsimile”, “scanner”, “document repository”, and “electronic conference system” are described as “system type”.

  Then, for example, as shown in FIG. 4, each operation for each system type is listed by descriptions 421 to 471.

  In the description 421, “copying from paper to paper” is described as “operation related to the copying machine”. In the description 431, “print electronic document on paper” is described as “operation related to the printer”. In the description 441, “fax transmission” and “fax reception” are described as “operation related to fax”. In the description 451, “scan a paper document into an electronic document” is described as “operation related to the scanner”.

  In the description 461, “operation related to the document repository” includes “save”, “revise / edit”, “delete / destroy”, “reference”, “distribute over network (send)”, “disk” “Distribute (send)” and “archive / backup”. In the description 471, “use in conference” is described as “operation related to the electronic conference system”.

  Further, for example, as shown in FIGS. 6 to 13, requirements applicable for each operation are listed by descriptions 481 to 601.

  In the description 481, “explicit permission”, “record of audit trail”, and “record with audit trail image” are described as “requirements related to copying”.

  In the description 491, as “requirements related to printing”, “explicit permission (use restriction)”, “recording of audit trail”, “recording with image of audit trail”, “paper output by printed person”, “trust” “Use of channel (encryption of print data)” and “embedment of tracking information in printout (watermark, label, barcode)” are described.

  In description 501, as “requirements related to fax transmission”, “explicit permission (use restriction)”, “recording audit trail”, “recording with audit trail image”, “restricting destination”, “confidential mode” “Transmission”, “Use of trusted channel”, “Embed tracking information in transmission fax (watermark, label, barcode)”, and “Non-repudiation (acquisition of receipt)” are described.

  In the description 511, as “requirements for receiving a fax”, “record of audit trail”, “record with image of audit trail”, “retrieve of confidential fax destination”, “trust time stamp”, and “received fax” "Tracking information embedding (watermark, label, barcode)" is described.

  In the description 521, “explicit permission (use restriction)”, “record of audit trail”, “record with audit trail image” as “requirement related to scanning (retention requirement is applied after saving)” And “Embed Tracking Information (Watermark, Label, Barcode) in Scanned Image” is described.

  In the description 531, “explicit permission (use restriction)”, “recording audit trail”, “encryption of stored data”, and “tamper protection of stored data” are described as “requirements related to storage”. The

  In the description 541, “explicit permission (use restriction)”, “record audit trail”, and “version management” are described as “requirements related to revision”.

  In the description 551, “explicit permission (use restriction)”, “record of audit trail”, “record with image of audit trail”, and “complete deletion” are described as “requirements related to deletion / destruction”. The

  In the description 561, as “requirement related to reference”, “explicit permission (use restriction)”, “recording of audit trail”, “permitted to refer only to data prohibited for editing”, “permitted to refer only to data prohibited to print”, “Reference permission for reference data only” and “permission for reference only to user-limited data” are described.

  In the description 571, as “requirements related to network distribution (transmission)”, “explicit permission (use restriction)”, “recording of audit trail”, “recording with audit trail image”, “use of trust channel (transmission) Data encryption) ”,“ address restrictions (distribution only within the company, etc.) ”,“ distribution of only edit-prohibited data ”,“ permission of prohibition of printing only ”,“ permission of distribution of data only for reference location ”, and “Permission to distribute data only for users” is described.

  In the description 581, as “requirements related to disk distribution (delivery)”, “explicit permission (use restriction)”, “recording of audit trail”, “recording with image of audit trail”, “encryption of sent data” , “Tampering protection of sending data”, “Allow sending only prohibited data”, “Allow sending only printing prohibited”, “Allow sending only reference location data”, and “Allow sending only user-only data”. be written.

  In the description 591, “explicit permission (use restriction)”, “recording audit trail”, “encryption of archive data”, and “tamper protection of archive data” are included as “requirements related to archive backup”. be written.

  In the description 601, “explicit permission (use restriction)”, “record of audit trail”, and “record with audit trail image” are described as “requirements related to use in a meeting”.

  A DSP based on the document label term file of FIG. 2 and the policy term file of FIGS. 3 to 13 will be described with reference to FIGS. 14 to 22 are diagrams showing examples of policy files. Based on the document label term file 300 shown in FIG. 2 and the policy term file 400 shown in FIGS. 3 to 13, the security policy in the user's organization is, for example, DSP 2000 shown in FIGS. 14 to 22. Is described in XML and constitutes one policy file.

  In the DSP 2000 as shown in FIGS. 14 to 22, a policy is indicated by a description 2002 indicated by <policy> and a description 2002 indicated by </ policy>.

  In the description 2011 indicating <acc_rule> in FIG. 14 to the description 2012 indicating </ acc_rule> in FIG. 16, the description 2013 indicating <doc_category> ANY </ doc_category> and <doc_security_level> basic </ doc_security_level> A description 2017 indicating <user_category> ANY </ user_category> and <user_security_level> ANY </ user_security_level> for a document having a document attribute of “ANY (non-limited)” and a document security level “basic (basic level)” A policy for each operation performed by a user having a user attribute having a user category “ANY (unlimited)” and a user security level “ANY (unlimited)” is described. For each description from <operation> to </ operation>, permission (<allowed />) or denial (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  In the description 2021 indicating <acc_rule> in FIG. 16 to the description 2022 indicating </ acc_rule> in FIG. 19, the description 2023 indicating <doc_category> ANY </ doc_category> and <doc_security_level> medium </ doc_security_level> A description indicating <user_category> DOC-CATEGORY </ user_category> and <user_security_level> ANY </ user_security_level> for a document with a document attribute of “ANY (non-limited)” and document security level “medium (medium level)” 2027, each operation performed by a user having a user attribute “DOC-CATEGORY (type of document category)” (refer to descriptions 312, 313, and 314 in FIG. 2) and a user security level “ANY (unlimited)”. Policies are described. For each description from <operation> to </ operation>, permission (<allowed />) or denial (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  Further, for a document having the same document attribute, the description 2028 indicating <user_category> ANY </ user_category> and <user_security_level> ANY </ user_security_level> in FIG. A policy for each operation performed by a user having a user attribute having a security level “ANY (non-limited)” is described. For each description from <operation> to </ operation>, permission (<allowed />) or denial (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  In the description 2031 indicating <acc_rule> in FIG. 19 to the description 2032 indicating </ acc_rule> in FIG. 19, a document category “<doc_category> ANY </ doc_category>” and “doc_security_level> high </ doc_security_level>” A description indicating <user_category> DOC-CATEGORY </ user_category> and <user_security_level> ANY </ user_security_level> for a document having a document attribute of “ANY (unlimited)” and document security level “high” For each operation performed by a user having a user attribute “DOC-CATEGORY (type of document category)” (see descriptions 312, 313, and 314 in FIG. 2) and a user security level “ANY (unlimited)” Policies are described. For each description from <operation> to </ operation>, permission (<allowed />) or denial (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  Next, the structure of the DSP 2000 of FIGS. 14 to 22 will be described in detail below with reference to FIGS.

  FIG. 23 is a diagram illustrating an example of DSP identification information. In the identification information 210 of the DSP 2000, description information 211 to 213 surrounded by <about_this_policy> and </ about_this_policy> describes identification information for identifying the DSP 2000.

  A description 211 indicating <serial_number> RDSP2023 </ serial_number> describes a serial number for distinguishing the DSP 2000 from other DSPs.

  In the description 212 indicated by <terminology_applied> RDST9487 </ terminology_applied>, the serial number of the policy term file 400 corresponding to the DSP 2000 is described. Since this definition file may be updated, it is recorded in order to clarify which policy term file this DSP 2000 is described on. The description 213 includes the title of the DSP 2000 by the description indicating <title> DOCUMENT-SECURITY-POLICY </ title>, the version number by the description indicating <version> 1.20 </ version>, <creation_date> 2002/02/18 22: 30:24 </ creation_date> description, creation date and time, <creator> Taro Tokyo </ creator> description, creator, <description> sample document security policy. </ Description> description, etc. Bibliographic information is described.

  The DSP 2000 identification information ends with </ about_this_policy>.

  Next, following the identification information of the DSP 200 described above, the contents of the policy are described in a range surrounded by <policy> and </ policy>. FIG. 24 is a diagram illustrating a description example for explaining the structure of the DSP.

  The policy content 220 shown in FIG. 24 is recorded using a hierarchical structure as described below.

  The policy <policy> is composed of a plurality of access control rules <acc_rule> (description 221). One access control rule <acc_rule> (description 221) uniquely specifies the category <doc_category> and level <doc_security_level> of the target document (description 222), and further sets an access control list <acl> (description 223). It is configured to include one.

  The access control list <acl> (description 223) is composed of a plurality of access control elements <ace> (description 224).

  Each access control element <ace> (description 224) uniquely specifies a target user category <user_category> (description 225) and level <user_security_level> (description 226), and further includes a plurality of operations <operation> (description). 227).

  Each <operation> (description 227) includes one operation name <name> (description 228), one prohibited <denied /> (description 229), one permission <allowed /> (description 232), or a plurality of <Requirement> (description 230 and description 231).

  In the description 222, “ANY” described in the document category <doc_category> and the user category <user_category_level> indicates that it applies to any category and level. Further, “DOC-CATEGORY” of the user category <user_category> indicated by the description 225 indicates that the user category is applied when it is the same as the document category.

  In this embodiment, <denied /> (description 229) is specified for the prohibited operation, but if it is not described in the DSP 2000, it indicates that access is not permitted. May be.

  Thus, by describing the DSP, it is possible to describe what kind of user type (category, level) can be operated on the document according to the document type (category, level). . Still further, for the document, the user can clearly describe what requirements must be met if the operation is possible.

  Then, by describing the DSP in platform-independent XML as described above, this DSP can be used in common between different types of systems. In particular, the target to which the security policy is to be applied is not limited to an electronic document but must be applicable to a paper document. Therefore, the document label file in FIGS. 3 to 13 and the DSP 2000 in FIGS. As described, operations related to paper documents (hardcopy, scan, etc.) can also be specified.

  Among the requirements shown in FIG. 24 of the present embodiment, there is a description 231 indicating the following <requirement> explicit_authorization </ requirement>. This is a requirement that “if an explicit permission is obtained from the person in charge of managing the document, the operation is permitted”. All, when the operation is controlled according to this DSP, there is a possibility that the degree of freedom is lost. However, by making it possible to specify this explicit permission requirement, flexible operation control is possible.

  In addition, as a feature of this embodiment, by making it possible to specify the requirement of “explicit permission”, an operation that can be executed if explicit permission is obtained, and explicit permission are obtained. It can be distinguished from operations that must be prohibited.

  Therefore, an operation that is not described in the DSP or specified by <denied /> is an operation that must be prohibited even if explicit permission is obtained. This makes it possible to accurately define the intention of the side describing the policy, and it is possible to prescribe to prevent a situation in which an operation is executed by giving permission by mistake. .

  Next, another description form of the DSP of the present invention will be described with reference to FIG. FIG. 25 is a diagram illustrating another description example of the DSP. The policy content 240 shown in FIG. 26 describes a nested structure such as <operation> <allowed /> </ operation> for each operation when there are many operations that are allowed unconditionally or operations that are prohibited. Since this is inefficient, a description 243 indicating <allowed_operations> that enumerates operations allowed unconditionally and a description 241 indicating <denied_operations> that enumerates operations that are not allowed may be used.

  A description 242 indicating <requirement> explicit_authorization </ requirement> is the same as the description in FIG.

  FIG. 26 shows various media for storing and distributing the DSP described above.

  As described above, the DSP 2000 shown in FIG. 26 is described in XML (Extensible Markup Language). And it can record as an electronic file. Further, for example, a hard disk 51, a magneto-optical disk 52, a flexible disk 53, a CD-ROM, a CD-R, a CD-RW, a DVD, a DVD-R, a DVD-RAM, a DVD in which the electronic file is stored. A storage medium such as the optical disk 54 such as −RW, DVD + RW, and DVD + R can be created. In addition, the electronic DSP 2000 can be transmitted via the network 56 using the computer 55.

  The DSP 2000 is not a description of a security policy for a specific system, but a description of a security policy that can be commonly used by a plurality of different systems. Therefore, by creating a storage medium storing this security policy description and distributing it or transmitting it via a network, it becomes easy to use it in a plurality of systems in common.

  FIG. 27 is a block diagram illustrating a hardware configuration of an image forming apparatus according to an embodiment of the present invention. In FIG. 27, an image forming apparatus 1000 is an apparatus controlled by a computer, and includes a CPU (Central Processing Unit) 11, a ROM (Read-Only Memory) 12, a RAM (Random Access Memory) 13, and a nonvolatile memory. RAM (non-volatile random access memory) 14, real-time clock 15, Ethernet (registered trademark) I / F (Ethernet (registered trademark) Interface) 21, USB (Universal Serial Bus) 22, IEEE (Institute of Electrical and Electronics Engineers) 1284 23, a hard disk I / F 24, an engine I / F 25, an RS-232C I / F 26, and a driver 27, which are connected to the system bus B.

  The CPU 11 controls the image forming apparatus 1000 according to a program stored in the ROM 12. In the RAM 13, for example, areas are allocated to resources connected to the interfaces 21 to 26. The nonvolatile RAM 14 stores information necessary for processing by the CPU 11 to control the image forming apparatus 1000. The real-time clock 15 measures the current time and is used by the CPU 11 to synchronize processing.

  An Ethernet (registered trademark) interface cable such as 10BASE-T or 100BASE-TX is connected to the Ethernet (registered trademark) I / F 21. A USB interface cable is connected to the USB 22. An IEEE1284 interface cable is connected to the IEEE1284 23.

  A hard disk 34 is connected to the hard disk I / F 24, and document data of a document to be printed or image data after print processing transmitted via the network is stored in the hard disk 34 via the hard disk I / F 24. . Connected to the engine I / F 25 are a plotter 35-1 for printing on a predetermined medium based on document data, a scanner 35-2 for capturing image data, and the like. An operation panel 36 is connected to the RS-232C I / F 26 to display information to the user and acquire input information or setting information from the user.

  A program that realizes processing performed by the image forming apparatus 1000 is provided to the image forming apparatus 1000 by a storage medium 37 such as a CD-ROM. That is, when the storage medium 37 storing the program is set in the driver 27, the driver 27 reads the program from the storage medium 37, and the read program is installed in the hard disk 34 via the system bus B. When the program is activated, the CPU 11 starts its processing according to the program installed on the hard disk 34. The storage medium 37 for storing the program is not limited to a CD-ROM, and any storage medium that can be read by a computer may be used. The program may be downloaded via a network and installed on the hard disk 34.

  The image forming apparatus that operates according to the security policy will be described in detail below with reference to FIGS. 28, 29, and 30. FIG.

  FIG. 28 is a diagram illustrating a functional configuration of an image forming apparatus as a reading apparatus that operates according to a security policy.

  28 mainly includes a reading unit 71, a reading condition acquisition unit 72, a data transmission destination acquisition unit 73, a data processing unit 74, a data transmission unit 75, a policy, and the like. An execution unit 1001, read image data 61, and accumulated data 62 are included.

  The policy execution unit 1001 includes a document attribute acquisition unit 1011, an operation requirement selection unit 1012, an operation control unit 1013, and a user attribute acquisition unit 1021. The document attribute acquisition unit 1011 acquires the document attribute from the paper document 60 or the read image data 61 and notifies the operation requirement selection unit 1021 of the document attribute.

  On the other hand, when the user attribute acquisition unit 1021 acquires user information input by the user, the user attribute acquisition unit 1021 notifies the operation requirement selection unit 1012. The operation requirement selection unit 1012 selects a requirement for permission according to the DSP 2000 and notifies the operation control unit 1013 of the result. The operation control unit 1013 instructs data processing on the image data of the read paper original 60.

  In the policy execution unit 1001, a portion indicated by a dotted line may be omitted.

  The reading unit 71 is a processing unit that reads (scans) the paper document 60 in accordance with the reading condition input by the user notified from the reading condition acquisition unit 72, and the read image data is stored in the read image data 61. The Also, the document attribute acquisition unit 1011 is notified of the document attribute acquired from the image data 61.

  The reading condition acquisition unit 72 acquires the reading condition input by the user and notifies the reading unit 71 and the data processing unit 74 of the reading condition.

  The data transmission destination acquisition unit 73 is a processing unit that acquires the data transmission destination input by the user and notifies the data transmission unit 75 of the data transmission destination.

  The data processing unit 74 performs data processing on the read image data according to the reading conditions input by the user notified from the reading condition acquisition unit 72 so as to satisfy the requirements provided by the operation control unit 1013, and the data processing is performed. The stored image data is stored in the storage data 62.

  The data transmission unit 75 transmits the image data to be processed extracted from the accumulated data 62 to the transmission destination notified from the data transmission destination acquisition unit 73 so as to satisfy the requirement notified from the operation control unit 1013.

  When there is no need to transmit image data to the outside, the data transmission unit 28 may be omitted. Further, the image data may be stored in the storage medium 37.

  In FIG. 28, the image forming apparatus 1000 as a reading apparatus is described as being configured by dedicated hardware, but may be configured by a general-purpose computer and a program executed on the computer.

  A program for executing the embodiment of the present invention described below on a computer is recorded on a computer-readable storage medium, and is read by the computer before the execution. Such a program can also be distributed via a computer network.

  FIG. 29 is a diagram illustrating an example of a simplified DSP. For convenience of explanation, the DSP 2000 will be described using a simplified DSP. In the DSP 2100 shown in FIG. 29, rules 1 to 3 are shown as follows.

  Rule 1 includes a portion from <acc_rule> on the fourth line in FIG. 29 to <user_security_level> ANY </ user_security_level> on the tenth line, and from the eleventh line <operation> to the fourteenth line </ It is described by the part up to operation>.

  <Doc_category> ANY </ doc_category> on the fifth line indicates that rule 1 is applied regardless of the document category.

  <Doc_security_level> basic </ doc_security_level> on the sixth line indicates that the security level of the document is basic.

  <User_category> ANY </ user_category> in the ninth line indicates that the user category is not involved.

  <User_security_level> ANY </ user_security_level> on the 10th line indicates that the user's security level is not concerned.

  Further, <name> scan </ name> and <allowed /> in the 12th and 13th lines indicate that reading is permitted without requirement.

  Therefore, according to rule 1, the security level of the document is “basic” regardless of the document category according to the fifth, sixth, ninth, tenth, tenth, twelfth, and thirteenth lines. In the case of "", reading is permitted without requirement regardless of the category of the user and regardless of the security level of the user.

  Next, rule 2 includes the part from <acc_rule> on the fourth line in FIG. 29 to <user_security_level> ANY </ user_security_level> on the tenth line, and the fifteenth line from the <operation> on the fifteenth line. Described by the part up to the eye </ operation>.

  <Doc_category> ANY </ doc_category> on the fifth line indicates that rule 2 is applied regardless of the document category.

  <Doc_security_level> basic </ doc_security_level> on the sixth line indicates that the security level of the document is basic.

  <User_category> ANY </ user_category> in the ninth line indicates that the user category is not involved.

  <User_security_level> ANY </ user_security_level> on the 10th line indicates that the user's security level is not concerned.

Furthermore, from the 16th line to the 19th line
<name> net_delivery </ name>
<requirement> audit </ requirement>
<requirement> print_restriction </ requirement>
<requirement> trusted_channel </ requirement>
Indicates that network delivery is permitted when meeting the requirements of “logging”, “printing restrictions”, and “using a trusted channel”.

  Therefore, in rule 2, the security level of the document is “basic” regardless of the document category, according to the fifth, sixth, ninth, tenth, and sixteenth to nineteenth lines. ”, Regardless of the user's category and regardless of the user's security level, network delivery will require the requirements of logging, printing restrictions, and using a reliable channel. Indicates that it is allowed when meeting.

  Then, rule 3 includes the part from <acc_rule> on the 24th line in FIG. 29 to <user_security_level> ANY </ user_security_level> on the 30th line and the 35th line from the 31st line <operation>. It is described by the part up to </ operation>.

  <Doc_category> ANY </ doc_category> on the 25th line indicates that the document category is not involved.

<Doc_security_level> high </ doc_security_level> on line 26 is
Indicates the case where the security level of the document is high.

  <User_category> DOC-CATEGORY </ user_category> on the 29th line indicates that the category of the user is the same as the category of the document.

  <User_security_level> ANY </ user_security_level> on the 30th line indicates that the user's security level is not concerned.

From the 32nd line to the 34th line,
<name> scan </ name>
<requirement> audit </ requirement>
<requirement> embed_trace_info </ requirement>
Is permitted when it meets the requirements of “logging” and “embedding traceable information”.

  Therefore, in rule 3, the security level of the document is “high” regardless of the document category according to the 25th line, the 26th line, the 29th line, the 30th line, the 31st line to the 34th line. ”If the user's category is the same as the document's category and the reading meets the requirements of logging and embedding traceable information regardless of the user's security level Indicates that it is allowed.

  Here, “embedding traceable information” may include, for example, embedding an electronic watermark, embedding a displayable label, or adding document attribute information. The displayable label may include authentication data of the user who instructed reading and a time stamp at the time of instructing reading. Further, in “recording the log”, the authentication data of the user who instructed reading, the document data to be read, and the time stamp at the time of instructing reading may be recorded in the log. In addition, in “recording the log”, the authentication data of the user who instructed the network distribution, the information of the network distribution destination, the document data to be read, and the time stamp at the time of instructing the reading are recorded in the log. It may be.

  A detailed operation will be described with reference to FIG.

  Based on the DSP 2100 shown in FIG. 29 described above, for example, when a document whose security level is “basic” is to be read, there is no requirement to be extracted.

  Further, based on the security policy shown in FIG. 29 described above, for example, when a document whose security level is “high” is to be read, as described above, “recording log” and “trackable” “Embedding information” is a requirement for reading. The contents of “recording log” and “embedding traceable information” are the same as described above.

  Next, when there is no requirement to be extracted as in the case where the security level is “basic”, the operation control unit 1013 instructs the data processing unit 71 to read the document, and the user Acquires the document data and ends.

  On the other hand, when there is a requirement to be extracted as in the case where the security level is “high”, the operation requirement selection unit 1012 determines whether all the requirements can be satisfied, and the determination result is determined. The operation control unit 1013 is notified.

  When the determination result by the operation requirement selection unit 1012 indicates that all requirements cannot be satisfied, the operation control unit 1013 instructs the data processing unit 74 to prohibit data processing, and the data processing unit 74. Cancels the read data and ends. The user is notified that data processing cannot be performed.

  On the other hand, if the determination result by the operation requirement selection unit 1012 indicates that all requirements can be satisfied, the operation control unit 1013 data processing unit 74 is instructed to perform data processing so as to satisfy the requirement. . The user obtains the document data and ends.

  In this case, the following processing is executed.

  The user attribute acquisition unit 1021 issues a user ID input request to the user who has issued a reading instruction from the operation panel 36. The user inputs a user ID from the operation panel 36. The user attribute acquisition unit 1021 acquires the category and security level corresponding to the input user ID registered in the database 102 from the user ID, and notifies the operation requirement selection unit 1021 of the category.

  When recording a log, information that can be traced is embedded in the read document data (for example, embedding of an electronic watermark, embedding of a displayable label, addition of document attribute information, etc.). The displayable label may include the authentication data of the user who instructed reading and the time stamp at the time of instructing reading.

  Finally, the user acquires the image data of the paper document 60 in the accumulated data 62 and ends.

  As described above, the paper document (document) 60 can be read in accordance with the security policy shown in FIG.

  Next, a case where the image forming apparatus 1000 reads the paper original 60 and distributes the read document to the network will be described.

  First, the user sets a paper document 60 in the image forming apparatus 1000, and issues an input of reading conditions, designation of a distribution destination of read data, and a reading instruction of the paper document 60 from the operation panel 36.

  A reading unit 71 reads a paper document. The document attribute acquisition unit 1011 extracts a document ID from image information such as a barcode and digital watermark of image data of the read paper original 60, acquires a category and a security level, and notifies the operation requirement selection unit 1012 of the document ID.

  The operation requirement selection unit 1012 searches the corresponding entry in the DSP 2100 according to the document attribute notified by the document attribute acquisition unit 1011 and extracts the requirement.

  Based on the DSP 2100 shown in FIG. 29 described above, for example, when a document whose security level is “basic” is read and distributed to the network, there is no requirement for reading. However, as described above, when distributing to a network, “recording a log”, “applying a print restriction”, and “using a reliable channel” are requirements.

  In addition, based on the DSP 2100 shown in FIG. 29 described above, for example, when a document having a security level of “high” is to be read, “log recording” and “trackable information” are required as reading requirements. (For example, embedding an electronic watermark, embedding a displayable label, and adding document attribute information as described above) is a requirement. However, since there is no rule that permits distribution to the network, it is not permitted.

  For example, when the requirement for distributing the document to the network does not exist in the DSP 2100, the operation control unit 1013 instructs the data transmission unit 75 to distribute the document, distributes the document to the network, and performs processing. Exit.

  On the other hand, for example, when the requirements for distributing the document to the network exist in the DSP 2100, the operation requirement selection unit 1012 determines whether all the requirements can be satisfied.

  When there is no rule that permits distribution to the network, the operation control unit 1013 notifies the user that “there is no rule that permits distribution to the network” and the image data of the paper document 60 Is discarded. For example, the security level is “high”.

  When the operation requirement selection unit 1012 determines that all the requirements cannot be satisfied, the operation control unit 1013 notifies the user and discards the image data of the paper document 60 to the data processing unit 74. To finish.

  For example, when all the requirements can be satisfied as in the case where the security level is “basic”, the operation control unit 1013 instructs the data processing unit 74 to perform the reading that satisfies the requirements, and The data transmission unit 75 is instructed to distribute the document to the network, and the process ends.

  Then, the user attribute acquisition unit 1012 issues a user ID input request to the user who has issued a reading instruction from the operation panel 36.

  When the user inputs a user ID from the operation panel 36, the user attribute acquisition unit 1021 acquires the category and security level corresponding to the user ID, and notifies the operation requirement selection unit 1012 of them. The operation control unit 1013 records a log according to the requirements notified from the operation requirement selection unit 1012.

  Further, the operation control unit 1013 converts the read image data of the paper document 60 into data that cannot be printed (for example, a PDF having an ADOBE (registered trademark) printing prohibition attribute). Instruct to do so.

  Finally, the operation control unit 1013 issues a distribution instruction to the data transmission unit 75, and the data transmission unit 75 distributes the document to the network through a reliable communication path (for example, IPsec, VPN, etc.), and ends.

  As described above, using the DSP 2100 shown in FIG. 29, the image forming apparatus 1000 as the document reading apparatus shown in FIG. 28 can read the document and distribute the read document to the network.

  A functional configuration of an image forming apparatus as a copying apparatus that realizes an operation in accordance with a security policy will be described with reference to FIG. FIG. 30 is a diagram illustrating a functional configuration of an image forming apparatus as a copying apparatus that operates according to a security policy. In FIG. 30, the same processing units as those in FIG. 28 are denoted by the same reference numerals, and detailed description thereof is omitted.

  30, an image forming apparatus 1000-2 as a copying apparatus includes a copying condition acquisition unit 81 instead of the reading condition acquisition unit 72 and the data transmission destination acquisition unit 73 of the image forming apparatus 1000 illustrated in FIG. The image forming apparatus 1000 is different from the image forming apparatus 1000 shown in FIG. 28 in that a printing unit 82 is provided instead of the data transmission unit 75 of the image forming apparatus 1000 shown in FIG.

  However, the image forming apparatus 1000 may further include a copy condition acquisition unit 81 and a printing unit 82 of the image forming apparatus 1000-2. A portion 1002 indicated by a dotted line may be omitted.

  The copy condition acquisition unit 81 acquires a copy condition input by the user to the operation panel 36 and notifies the reading unit 71 and the data processing unit 74 of the copy condition and also notifies the printing unit 82.

  In response to an instruction from the operation control unit 1013, the printing unit 82 acquires the image data of the paper document 60 from the accumulated data 62 and notifies the copy condition acquisition unit 81 to satisfy the requirements notified from the operation control unit 1013. The printing process is performed in accordance with the copied conditions, and a copy document 60b in which image data is formed on a sheet is output.

  The document attribute acquisition unit 1011 and the user attribute acquisition unit 1021 will be described in detail below.

  FIG. 31 is a diagram showing a case where document identification information is printed as a barcode. In the document 610 shown in FIG. 31, identification information is printed at a predetermined position with a barcode 611. In this case, as shown in FIG. 32, the document attribute acquisition unit 1011 is configured to acquire identification information directly from a document 610 as a paper document 60 and acquire document attributes from the identification information.

  FIG. 32 is a diagram illustrating a first functional configuration of the document attribute acquisition unit. In FIG. 32, the document attribute acquisition unit 1011-1 includes an identification information acquisition unit 1031, a document attribute reading unit 1032, and a document attribute DB 64.

  The identification information acquisition unit 1031 reads the parcode 611 of the document 610 shown in FIG. 31 from the paper document 60, acquires it as identification information, and notifies the document attribute reading unit 1032.

  The document attribute reading unit 1032 refers to the table T100, acquires the document attribute based on the identification information notified from the identification information acquisition unit 1031, and notifies the operation requirement selection unit 1012 of the document attribute.

  The document attribute DB 1011-1 manages document attributes using the table T <b> 100. The table T100 includes items such as a document ID, a category, a level, and a handleable zone as identification information. The document attribute reading unit 1032 can acquire information such as a category, a level, and a handleable zone as a document attribute.

  Such a functional configuration is suitable when a dedicated reading device such as a barcode, RFID, or MCR is already used.

  FIG. 33 is a diagram illustrating a case where the identification information of a document is printed with numbers. In the document 620 shown in FIG. 33, identification information is printed with a numeral 621 at a predetermined position. In this case, as shown in FIG. 34, the document attribute acquisition unit 1011 is configured to acquire identification information directly from a document 610 as a paper document 60 and acquire the document attribute from the identification information.

  FIG. 34 is a diagram illustrating a second functional configuration of the document attribute acquisition unit. In FIG. 34, processing parts similar to those in FIG. 32 are denoted by the same reference numerals, and description thereof is omitted.

  34, the document attribute acquisition unit 1011-2 is the same as the document attribute acquisition unit 1011-1 shown in FIG. 32 in that it includes an identification information acquisition unit 1031, a document attribute reading unit 1032 and a document attribute DB 64. However, by extracting the image data from the read image data 61 in which the image data of the paper document 60 once read by the reading unit 71 is stored and identifying it using a character recognition function such as OCR, the document attribute is set. The point to get is different. The data structure of the table T100 is the same as that of the document attribute acquisition unit 1011-1 shown in FIG.

  FIG. 35 is a diagram showing a case where document identification information is printed on the front side. In a document 630 shown in FIG. 35, a dot pattern indicating identification information is printed on the front surface.

  FIG. 36 is a diagram showing a case where security attributes of a document are printed in characters. In the document 640 shown in FIG. 36, for example, “secret” 641 indicating the document attribute is directly printed at a predetermined position.

  In such a case, the image data acquired by the reading unit 71 is recognized by OCR or the like, and the document attribute printed at a predetermined position is acquired.

  FIG. 37 is a diagram illustrating a third functional configuration of the document attribute acquisition unit. In FIG. 37, the document attribute acquisition unit 1011-3 includes a character reading unit 1035, a category dictionary 65, a level dictionary 66, a database that manages a handling zone dictionary 67, and the like.

  Next, the user attribute acquisition unit 1021 will be described in detail.

  FIG. 38 is a diagram illustrating a functional configuration of the user attribute acquisition unit. 38, the user attribute acquisition unit 1021 includes a user information acquisition unit 1041, a user authentication unit 1042, a user attribute reading unit 1043, and a user attribute DB 68.

  The user information acquisition unit 1041 acquires user information input to the operation panel 36 by the user and notifies the user authentication unit 1042 of the user information.

  The user authentication unit 1042 performs user authentication based on the user information by referring to the user attribute DB 68, acquires the user attribute when the authentication is successful, and notifies the user attribute reading unit 1043 of the user attribute.

  The user attribute DB 68 has user ID and password items as user information, and manages user attributes by a table T200 having items such as categories and levels as user attributes.

  The user attribute reading unit 1043 notifies the operation requirement selection unit 1012 of the user attribute.

  It can be realized by an external server as well as the document attribute. By using an external server, it is possible to easily realize cooperation with users who use Windows (registered trademark), LotusNotes, and the like.

  FIG. 39 is a diagram illustrating a functional configuration in a case where user attributes are acquired from an external server. In FIG. 39, processing parts similar to those in FIG. In FIG. 39, the user attribute acquisition unit 1012-2 includes a user information acquisition unit 1041 and a communication processing unit 1045.

  The communication processing unit 1045 requests user attributes by transmitting user information to the user attribute server 80 as an external server, and notifies the operation requirement selection unit 1012 of the user attributes acquired from the user attribute server 80.

  The user attribute server 80 as an external server includes a communication processing unit 85, a user authentication unit 82, a user attribute reading unit 83, and a user attribute DB 69.

  The communication processing unit 85 notifies the user information to the user authentication unit 82 in response to a request from the user attribute acquisition unit 1021-2.

  The user authentication unit 82 refers to the user attribute DB 689, performs user authentication based on the user information, acquires the user attribute when the authentication is successful, and notifies the communication processing unit 85 of the user attribute.

  The communication processing unit 85 notifies the user attribute to the user attribute acquisition unit 1021-2.

  As described above, since the embedded information is at least one of barcode information, watermark information, and tint block information that uniquely identifies the document, the content and document attributes of the document are identified by the embedded information, and the processing related to the document is executed. Therefore, the security of the document can be ensured.

  An image forming apparatus 1000 according to an embodiment of the present invention is an apparatus having at least one of a plurality of different image forming functions such as a printer, a FAX, and a copy.

It is a figure which shows the example of a security policy. It is a figure which shows the example of the list | wrist of a document label term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of the identification information of DSP. It is a figure which shows the example of a description for demonstrating the structure of DSP. It is a figure which shows the other example of description of DSP. FIG. 2 illustrates various media for storing and distributing a DSP. 1 is a block diagram illustrating a hardware configuration of an image forming apparatus according to an embodiment of the present invention. FIG. 3 is a diagram illustrating a functional configuration of an image forming apparatus as a reading apparatus that operates according to a security policy. It is a figure which shows the example of simplified DSP. FIG. 2 is a diagram illustrating a functional configuration of an image forming apparatus as a copying apparatus that operates according to a security policy. It is a figure which shows the case where the identification information of a document is printed by the barcode. It is a figure which shows the 1st function structure of a document attribute acquisition part. It is a figure which shows the case where the identification information of a document is printed by the number. It is a figure which shows the 2nd function structure of a document attribute acquisition part. It is a figure which shows the case where the identification information of a document is printed on the front. It is a figure which shows the case where the security attribute of a document is printed by the character. It is a figure which shows the 3rd function structure of a document attribute acquisition part. It is a figure which shows the function structure of a user attribute acquisition part. It is a figure which shows the function structure in the case of acquiring a user attribute outside from an external server.

Explanation of symbols

51 hard disk 52 magneto-optical disk 53 flexible disk 54 optical disk 55 computer 56 network 71 reading unit 72 reading condition acquisition unit 73 data transmission destination acquisition unit 74 data processing unit 1000 image forming apparatus 1001 policy execution unit 1011 document attribute acquisition unit 1012 operation requirement selection Unit 1013 operation control unit 1021 user attribute acquisition unit 2000 DSP

Claims (14)

Document attribute management means for managing document attribute management information in which identification information defined for a document is associated with a document attribute including a document category and a security level in advance ;
Identification information recognition means for recognizing data acquired by a predetermined reading operation on a document as the identification information;
Document attribute acquisition means for acquiring the document attribute corresponding to the identification information recognized by the identification information recognition means by referring to the document attribute management information ;
Based on a document security policy corresponding to the category and security level acquired by the document attribute acquisition unit, whether the predetermined operation is permitted or not is determined for each predetermined operation that is a predetermined operation of the image forming apparatus. In addition, in the case of permission, an operation requirement selection means for selecting an operation requirement in the case of permission and outputting the determination and selection result ;
Operation control means for controlling execution of the predetermined action based on the determination and selection result output by the action requirement selection means,
The above security policy is
The predetermined operation every authorization operation or non-permission is defined, if該許friendly is defined, the operation requirements for permitting operation is defined,
The operation control unit instructs the data processing unit that performs data processing of the document to prohibit data processing when the determination and selection result of the operation requirement selection unit is not permitted, and selects the operation requirement. If the determination result of the means is permission, the data processing unit is instructed to perform data processing so as to satisfy the requirements,
The image forming apparatus , wherein the operation requirement defined in the security policy is a security requirement for the document . The predetermined operation is, according to claim 1 Symbol placing the image forming apparatus and forming an image in an electronic data. The predetermined operation is, the image forming apparatus according to claim 1, wherein the printing the document on paper. The image forming apparatus of any one of claims 1 to 3, further comprising a user attribute obtaining means for obtaining user attributes related to the user requesting the predetermined operation. The user attribute acquisition means includes
User identification information acquisition means for acquiring user identification information for identifying the user by input from the user;
User attribute management means for managing user attribute management information in which the user identification information and the user attribute are associated in advance ;
User authentication means for authenticating the user based on the user identification information;
User attribute acquisition means for acquiring the user attribute corresponding to the user identification information acquired by the user identification information acquisition means by referring to the user attribute management information based on an authentication result by the user authentication means; The image forming apparatus according to claim 4, further comprising: The user attribute acquisition means includes
User identification information acquisition means for acquiring user identification information for identifying the user from the user;
5. The image forming apparatus according to claim 4, further comprising: a user attribute request unit that authenticates the user and requests the user attribute from an external server that provides the user attribute. The operational requirements, when the execution of the predetermined operation with respect to the document, the image forming apparatus of any one of claims 1 to 6, characterized in that to indicate that the watermarking. The operational requirements, when the execution of the predetermined operation with respect to the document, the image forming apparatus of any one of claims 1 to 6, wherein the instructing embedding a displayable labels. 9. The image forming apparatus according to claim 8 , wherein the displayable label includes at least authentication data of a user who has requested the predetermined operation and a time stamp when the predetermined operation is requested. When the predetermined operation is performed on the document, the operation requirements include at least the authentication data of the user who requested the predetermined operation, the document data of the document generated by the predetermined operation, and the time when the reading is instructed. 7. The image forming apparatus according to claim 5 , wherein a time stamp is recorded in a log. An identification information recognition procedure for recognizing data acquired by a predetermined reading operation on a document as identification information;
The identification information determined for the document, by referring to the document attribute management information of the document attribute management means for managing previously corresponding with the document attribute management information and document attributes including categories and security level of the document, A document attribute acquisition procedure for acquiring the document attribute corresponding to the identification information recognized by the identification information recognition procedure;
Based on the document security policy corresponding to the category and the security level acquired by the document attribute acquisition procedure, whether the predetermined operation is permitted or not is determined for each predetermined operation that is a predetermined operation of the image forming apparatus. Further, in the case of permission, an operation requirement selection procedure for selecting an operation requirement in the case of permission and outputting the determination and selection result ;
An operation control procedure for controlling execution of the predetermined operation based on the determination and selection result output by the operation requirement selection procedure,
The above security policy is
Permission or non-permission of operation for each of the predetermined operation is defined, if該許friendly is defined, operatively requirements GaTadashi constant to allow the operation,
The operation control procedure instructs the data processing unit that performs data processing of the document to prohibit data processing when the determination and selection result by the operation requirement selection procedure is not permitted, and selects the operation requirement. If the determination result by the procedure is permission, the data processing unit is instructed to perform data processing so that the requirement is satisfied,
The image forming method , wherein the operation requirement defined in the security policy is a security requirement for the document . An operation requirement determination procedure for determining whether or not the operation requirement is executable;
The image forming method according to claim 11, further comprising: an operation prohibiting procedure for prohibiting the predetermined operation when the determination result of the operation requirement determining procedure indicates that the operation requirement is not executable. An identification information recognition procedure for recognizing data acquired by a predetermined reading operation on a document as identification information;
The identification information determined for the document, by referring to the document attribute management information of the document attribute management means for managing previously corresponding with the document attribute management information and document attributes including categories and security level of the document, A document attribute acquisition procedure for acquiring the document attribute corresponding to the identification information recognized by the identification information recognition procedure;
Based on the document security policy corresponding to the category and the security level acquired by the document attribute acquisition procedure, whether the predetermined operation is permitted or not is determined for each predetermined operation that is a predetermined operation of the image forming apparatus. Further, in the case of permission, an operation requirement selection procedure for selecting an operation requirement in the case of permission and outputting the determination and selection result ;
Based on the determination and selection result output by the operation requirement selection procedure, the computer executes an operation control procedure for controlling the execution of the predetermined operation,
The above security policy is
Permission or non-permission of operation for each of the predetermined operation is defined, if該許friendly is defined, operatively requirements GaTadashi constant to allow the operation,
The operation control procedure instructs the data processing unit that performs data processing of the document to prohibit data processing when the determination and selection result by the operation requirement selection procedure is not permitted, and selects the operation requirement. If the determination result by the procedure is permission, the data processing unit is instructed to perform data processing so that the requirement is satisfied,
The computer-executable program , wherein the operation requirement defined in the security policy is a security requirement for the document . An identification information recognition procedure for recognizing data acquired by a predetermined reading operation on a document as identification information;
The identification information determined for the document, by referring to the document attribute management information of the document attribute management means for managing previously corresponding with the document attribute management information and document attributes including categories and security level of the document, A document attribute acquisition procedure for acquiring the document attribute corresponding to the identification information recognized by the identification information recognition procedure;
Based on the document security policy corresponding to the category and the security level acquired by the document attribute acquisition procedure, whether the predetermined operation is permitted or not is determined for each predetermined operation that is a predetermined operation of the image forming apparatus. Further, in the case of permission, an operation requirement selection procedure for selecting an operation requirement in the case of permission and outputting the determination and selection result ;
Based on the determination and selection result output by the operation requirement selection procedure, the computer executes an operation control procedure for controlling the execution of the predetermined operation,
The above security policy is
Permission or non-permission of operation for each of the predetermined operation is defined, if該許friendly is defined, operatively requirements GaTadashi constant to allow the operation,
The operation control procedure instructs the data processing unit that performs data processing of the document to prohibit data processing when the determination and selection result by the operation requirement selection procedure is not permitted, and selects the operation requirement. If the determination result by the procedure is permission, the data processing unit is instructed to perform data processing so that the requirement is satisfied,
The computer-readable storage medium storing a computer-executable program , wherein the operation requirement defined in the security policy is a security requirement for the document .

Images